Monday, 18 August 2025

Getting Started with Windows Autopilot – Intune - Checklist


Windows Autopilot is a powerful tool for streamlining the deployment of new Windows devices—automating the configuration process and reducing IT overhead. But before jumping into testing or production use, it’s essential to ensure your environment is properly prepared.

 This guide provides a step-by-step checklist to help you establish a solid foundation for Autopilot in a lab or pilot environment. Whether you're just testing or building toward a larger rollout, these are the key setup steps you don’t want to miss.

 

1. Licensing: Don't Skip This Step

Before anything else, your users must be properly licensed. Autopilot functionality depends on Microsoft 365 licenses such as:

 * Microsoft 365 Business Premium

* Microsoft 365 E3 / E5

* Education SKUs (A3/A5)

 Best Practice:

Create a security group (e.g., `Licensed Users`) and assign licenses to the group. This simplifies license management at scale.

 Steps:

 1. Go to [admin.microsoft.com](https://admin.microsoft.com)

2. Navigate to Billing > Licenses

3. Select your license (e.g., Microsoft 365 E5)

4. Choose Assign to Groups

5. Select your `Licensed Users` group

🔍 2. Configure Enrollment Settings

Autopilot relies on Microsoft Entra ID (Azure AD) and Intune for enrollment.

Entra ID Device Settings:

 1. Visit [entra.microsoft.com](https://entra.microsoft.com)

2. Go to Devices > Device Settings

3. Set Users may join devices to Entra ID → `All`

4. (Optional but Recommended) Enable Require Multi-Factor Auth

Intune Automatic Enrollment:

1. Go to Devices > Enrollment > Automatic Enrollment

2. Set MDM User Scope to `All`

3. Click Save

 

🌐 3. Verify CNAME Validation (For Custom Domains)

 

If you're using a branded domain (e.g., `yourcompany.com`), a CNAME DNS record is required for seamless MDM enrollment.

 Check CNAME Validation:

 1. In Intune, go to Devices > Enrollment > CNAME Validation

2. Enter your domain and click Test

3. A green check = success

 

📌 *This step is typically handled by whoever manages your domain and DNS records.*

 

🔒 4. Set Platform Restrictions & Device Limits

 You want to make sure only corporate-managed devices are being enrolled—especially in a test or production scenario.

 Steps:

 1. Go to Devices > Enrollment > Platform Restrictions

2. Edit the default policy under All Users

3. Block personally owned Windows devices

4. Set device limit (e.g., 3–5 devices per user)

 

🧭 5. Create an Autopilot Deployment Profile

 Deployment profiles define the user experience during device setup.

 Steps:

 1. Go to Devices > Windows > Windows Enrollment > Deployment Profiles

2. Click + Create Profile

3. Choose Windows PC and User-Driven Mode

4. Hide OOBE elements (e.g., EULA, privacy settings) for simplicity

5. Assign to a dynamic device group

🔍 Example:

Create a group like `Autopilot Devices` with a dynamic membership rule based on the device's Autopilot tag.

 

 ⚙️ 6. Apply Basic Device Configuration

 Enforce baseline security and usability settings.

 To Configure:

 1. Go to Devices > Windows > Configuration Profiles

2. Create a policy using Device Restrictions

3. Apply to your Autopilot group

 Recommended Settings:

 * Disable developer mode

* Block Game DVR

* Prevent adding personal Microsoft accounts

* Block manual unenrollment

* Disable removable storage and internet sharing

 

📦 7. Deploy Test Applications

 Add essential apps to verify app deployment and ESP functionality.

 Steps:

1. Go to Apps > Windows > Add > Store App (New)

2. Use WinGet to deploy:

   * Firefox

   * Visual Studio Code

   * Company Portal

 

💡 *Company Portal is key for self-service app access.*

 

🔄 8. Set Up Windows Update Rings

 Ensure devices stay up to date—but on your terms.

 Steps:

 

1. Go to Devices > Windows > Windows Update > Update Rings

2. Create a profile (e.g., `Lab Update Ring`)

3. Key settings:

   * Feature updates deferral: 0 days

   * Quality updates deferral: 7 days

   * Disable preview builds

 

Apply the ring to your Autopilot group.

 

📋 9. Define Device Compliance Policies

 

Compliance policies help track device health and enforce Conditional Access.

 Steps:

 1. Go to Devices > Compliance Policies

2. Choose Windows 10/11

3. Set rules like:

   * Require BitLocker

   * Enforce Secure Boot

   * Require storage encryption

Apply this policy to your Autopilot devices.

 

🧪 10. Configure the Enrollment Status Page (ESP)

 

ESP ensures required policies and apps are installed before the user reaches the desktop.

 

1. Navigate to Devices > Enrollment > Windows Autopilot > Enrollment Status Page

2. Edit the default profile

3. Turn ESP ON

4. Enable block device use until setup completes

5. Select required apps to install before allowing access

📌 Example:

 

* Required: Firefox, Company Portal

* Optional: Visual Studio Code

 

🏁 Wrapping Up: A Solid Foundation

 With these 10 steps, your Autopilot lab (or pilot deployment) is ready for real testing. This isn't just a configuration guide—it's a practical starting point for modern provisioning.

 You'll likely tweak and expand on this as your environment evolves, but if you follow this checklist, you’ll avoid the most common roadblocks and be well-positioned for success.

💬 Your Turn

 Have your own favorite tweaks or additions to Autopilot setup? Drop them in the comments or share how your tenant is structured—we all benefit from shared insights.

 

Wednesday, 30 July 2025

Compare Content Between SCCM DPs Using SQL Queries

 In enterprise environments using Microsoft Configuration Manager (SCCM), ensuring content consistency across Distribution Points (DPs) is crucial for reliable software deployments, operating system imaging, and patching. When introducing a new DP or auditing content, it's helpful to compare what content is available on one DP versus another.

This post provides a practical SQL query to compare two DPs and list packages that are available on one but missing from the other.


📌 Goal

We aim to:

  • Compare content between:
    • SCCMDP1 (source/master DP)
    • SCCMCP2 (target/secondary DP)
  • Identify which packages exist on SCCMDP1 but do not exist on SCCMCP2
  • Output key details: PackageID, Name, and Type

🧠 SQL Query Logic

We utilize SCCM database views:

  • v_Package – lists package metadata
  • v_DistributionPoint – maps packages to the DPs where they are distributed

🧾 SQL Query

```sql
SELECT
    Pkg.PackageID,
    Pkg.Name,
    CASE Pkg.PackageType
        WHEN 0 THEN 'Package'
        WHEN 3 THEN 'Driver'
        WHEN 4 THEN 'Task Sequence'
        WHEN 5 THEN 'Software Update'
        WHEN 7 THEN 'Virtual Application'
        WHEN 8 THEN 'Application'
        WHEN 257 THEN 'Image'
        WHEN 258 THEN 'Boot Image'
        WHEN 259 THEN 'Operating System Installer'
        ELSE 'Unknown'
    END AS PackageType
FROM v_Package Pkg
WHERE Pkg.PackageID IN (
    SELECT PackageID
    FROM v_DistributionPoint
    WHERE ServerNALPath LIKE '%SCCMDP1%' -- Source DP
    AND PackageID NOT IN (
        SELECT PackageID
        FROM v_DistributionPoint
        WHERE ServerNALPath LIKE '%SCCMCP2%' -- Target DP
    )
)
ORDER BY PackageType;
```


🧪 Example Output

| PackageID | Name | PackageType |
| --- | --- | --- |
| ABC00001 | Windows 11 Deployment TS | Task Sequence |
| DRV00200 | Dell Latitude 5530 Driver | Driver |
| APP00345 | Adobe Reader Install | Application |


🛠️ Usage Instructions

  1. Open SQL Server Management Studio (SSMS).
  2. Connect to your SCCM Site Database (typically CM_<SiteCode>).
  3. Paste and execute the query.
  4. Review the list to determine what content is missing on SCCMCP2.

🔄 Optional Variations

  • Reverse the comparison by swapping SCCMDP1 and SCCMCP2.
  • Compare multiple DPs using more advanced JOIN logic or CTEs.
  • Add columns from v_PackageStatusDistPointsSumm for package status on each DP.
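Here is an added example (not part of the original post) that covers the first two variations above in one query: it builds each DP's content list as a CTE and uses a FULL OUTER JOIN to report content present on either DP but not both, with a `MissingOn` column naming the DP that lacks it. It assumes the same views as the post, and its anchored LIKE pattern assumes ServerNALPath embeds the DP's FQDN after a double backslash (the usual form, e.g. \\SCCMDP1.contoso.com\); adjust the pattern if your NAL paths use a bare NetBIOS name.

```sql
-- Added example, not the original post's query: two-way DP content comparison with CTEs.
-- Assumes the same Configuration Manager views the post uses (v_Package, v_DistributionPoint).
DECLARE @SourceDP NVARCHAR(64) = N'SCCMDP1';   -- source/master DP from the post
DECLARE @TargetDP NVARCHAR(64) = N'SCCMCP2';   -- target/secondary DP from the post

WITH SourceContent AS (
    SELECT DISTINCT PackageID
    FROM v_DistributionPoint
    -- Anchor on "\\<name>." so that SCCMDP1 does not also match SCCMDP10.
    -- Assumes ServerNALPath embeds the DP FQDN as \\SCCMDP1.contoso.com\ (its usual form).
    WHERE ServerNALPath LIKE N'%\\' + @SourceDP + N'.%'
),
TargetContent AS (
    SELECT DISTINCT PackageID
    FROM v_DistributionPoint
    WHERE ServerNALPath LIKE N'%\\' + @TargetDP + N'.%'
),
Differences AS (
    -- FULL OUTER JOIN keeps rows present on only one side; the WHERE drops the matches.
    SELECT
        COALESCE(s.PackageID, t.PackageID) AS PackageID,
        CASE
            WHEN t.PackageID IS NULL THEN @TargetDP   -- targeted to the source DP only
            ELSE @SourceDP                            -- targeted to the target DP only
        END AS MissingOn
    FROM SourceContent AS s
    FULL OUTER JOIN TargetContent AS t ON s.PackageID = t.PackageID
    WHERE s.PackageID IS NULL OR t.PackageID IS NULL
)
SELECT
    d.PackageID,
    Pkg.Name,
    CASE Pkg.PackageType
        WHEN 0   THEN 'Package'
        WHEN 3   THEN 'Driver'
        WHEN 4   THEN 'Task Sequence'
        WHEN 5   THEN 'Software Update'
        WHEN 7   THEN 'Virtual Application'
        WHEN 8   THEN 'Application'
        WHEN 257 THEN 'Image'
        WHEN 258 THEN 'Boot Image'
        WHEN 259 THEN 'Operating System Installer'
        ELSE 'Unknown'
    END AS PackageType,
    d.MissingOn
FROM Differences AS d
INNER JOIN v_Package AS Pkg ON Pkg.PackageID = d.PackageID
ORDER BY d.MissingOn, PackageType, Pkg.Name;
```

Rows with `MissingOn = SCCMCP2` are the result set of the original query; rows with `MissingOn = SCCMDP1` are the reverse comparison. Keep in mind that a row in v_DistributionPoint means the package is targeted to that DP, not that the transfer has completed; for replication state, add the status view mentioned in the third variation.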

Conclusion

This query provides a quick and reliable way to audit SCCM Distribution Point content, especially when:

  • Migrating from one DP to another
  • Validating replication status
  • Troubleshooting missing content on clients

Keeping DPs in sync ensures faster content access and fewer deployment failures across your SCCM-managed environment.

Friday, 25 July 2025

Windows 11 Upgrade with Intune: Prerequisites and Troubleshooting

 As Microsoft ends support for Windows 10 in October 2025, organizations must start preparing to upgrade their Windows 10 devices to Windows 11. Devices that do not meet the hardware requirements for Windows 11 must either be replaced or covered under an Extended Security Update (ESU) program, which will come at an added cost.

This guide will walk you through the upgrade readiness, hardware prerequisites, known compatibility issues, and how to troubleshoot feature upgrade deployments using Microsoft Intune.


⚙️ Upgrade Options

Organizations have three primary choices moving forward:

  1. Upgrade to Windows 11 – For supported hardware.
  2. Replace hardware – Devices that do not meet Windows 11 requirements.
  3. Purchase ESU (Extended Security Updates) – For legacy systems that must remain on Windows 10.

Windows 11 Hardware Requirements

To ensure a smooth upgrade to Windows 11, devices must meet the following minimum system requirements:

  • RAM: 4 GB or more
  • Storage: 64 GB or more
  • Firmware: UEFI capable with Secure Boot enabled
  • TPM: Trusted Platform Module (TPM) version 2.0
  • CPU: 8th Gen Intel or newer (Note: Devices purchased before 2017 are likely unsupported)

💡 Tip: Use Intune’s Windows 11 readiness report under:

Reports → Endpoint Analytics → Work from anywhere → Windows 11 readiness

This will help you quickly identify unsupported devices.


⚠️ Application Compatibility and Known Issues

1. Credential Guard Impact on MSCHAPv2-Based Wi-Fi

  • Issue: Breaks traditional MSCHAPv2 authentication (common in enterprise WPA2).
  • Workaround: Migrate to EAP-TLS using Intune to deploy PKCS or SCEP-based certificates.

2. Memory Integrity and Driver Incompatibility

  • Issue: Memory Integrity (HVCI) can block old or unsigned drivers, causing blue screen errors (BSOD) or app failures.
  • Solution: Update or replace legacy drivers before enabling Memory Integrity.

📊 Intune Reports to Review Before Upgrading

Before deploying the Windows 11 Feature Upgrade policy, review the following reports in Intune:

  1. Windows feature update device readiness
  2. Windows feature update compatibility risks

If the device does not appear in these reports or is flagged with compatibility risks, upgrading via Intune may fail or remain in an “offering” state.


🧰 Troubleshooting Windows 11 Feature Upgrade Failures with SetupDiag

If an upgrade appears to stall or fail, Microsoft’s SetupDiag tool is your best diagnostic resource.

Use On-Demand Remediation Scripts via Intune

Create a Proactive Remediation script in Intune to automate SetupDiag log collection. Here's a sample PowerShell script you can deploy:

🔧 Remediation Script Sample – Collect SetupDiag Logs

```powershell
# Remediation script to run SetupDiag and collect logs
$setupDiagUrl = "https://aka.ms/SetupDiag"
$destination  = "$env:ProgramData\SetupDiag"

# Create the working directory if it does not exist
if (!(Test-Path -Path $destination)) {
    New-Item -ItemType Directory -Path $destination -Force | Out-Null
}

# Download SetupDiag.exe
Invoke-WebRequest -Uri $setupDiagUrl -OutFile "$destination\SetupDiag.exe"

# Run SetupDiag and save the results as XML
Start-Process -FilePath "$destination\SetupDiag.exe" -ArgumentList "/Output:$destination\SetupDiagResults.xml" -Wait

# Optional: copy the results to a network share (example path)
# Copy-Item -Path "$destination\SetupDiagResults.xml" -Destination "\\yourfileserver\logs\$env:COMPUTERNAME.xml"
```

Detection Script Sample – Check if SetupDiag Log Exists

```powershell
# Detection script: exit 0 = log present (compliant), exit 1 = run the remediation script
$logPath = "$env:ProgramData\SetupDiag\SetupDiagResults.xml"

if (Test-Path -Path $logPath) {
    Write-Output "SetupDiag log exists."
    exit 0
} else {
    Write-Output "SetupDiag log missing."
    exit 1
}
```

How to Deploy in Intune:

  1. Go to Endpoint Security → Proactive Remediations.
  2. Create a new script package.
  3. Upload the detection and remediation scripts.
  4. Assign it to the target device group.
  5. Review the execution status in Intune > Reports.

Once logs are collected, open the .xml file and review the blockers or compatibility errors (e.g., drivers, apps, or TPM issues) that caused upgrade failures.


🚀 Force Windows 11 24H2 Upgrade via PowerShell

If the device is eligible and the upgrade is still not applying, you can use the following script to force the 24H2 Windows 11 upgrade:

🔗 GitHub: Force Windows 11 24H2 Update Script

This script is ideal for:

  • Remote remediation
  • One-time on-demand upgrade
  • Skipping upgrade delays in Windows Update for Business (WUfB)

📝 Summary Table

| Area | Details |
| --- | --- |
| Deadline | Windows 10 EOL: October 2025 |
| Upgrade Options | Windows 11, New Hardware, or ESU Licensing |
| Pre-checks | Use Intune readiness and compatibility reports |
| Known Issues | Credential Guard Wi-Fi issues, Memory Integrity blocking old drivers |
| Troubleshooting Tool | SetupDiag + Intune remediation |
| Force Upgrade Script | GitHub: Windows 11 24H2 Upgrade Script |


📌 Final Recommendations

  • Start auditing today with Intune readiness reports.
  • Replace or repurpose unsupported devices ahead of Q3 2025.
  • Pilot Windows 11 upgrades in phases using Feature Update Rings in Intune.
  • Use SetupDiag automation for ongoing upgrade issue visibility.
  • Communicate the upgrade strategy across the organization early.

Wednesday, 9 July 2025

SCCM SQL Query to Report Application Deployment Status Per Device


In enterprise environments, monitoring application deployment results is crucial for ensuring successful software rollouts and troubleshooting failed installations. System Center Configuration Manager (SCCM) provides a rich set of SQL views that allow administrators to extract detailed deployment information.

This blog post walks through a powerful SQL query that retrieves comprehensive deployment status details for applications assigned to specific devices or users.


🔍 Purpose of the Query

The purpose of this query is to generate a detailed report that includes:

  • Device and user information
  • Operating System details
  • Assigned application and collection name
  • Deployment status (e.g., Success, In Progress, Error)
  • Last enforcement and compliance message timestamps

This helps administrators quickly determine the current state of application deployments across targeted machines.


📄 The SQL Query

```sql
SELECT DISTINCT
    vrs.Name0 AS [Computer Name],
    vgos.Caption0 AS [OS],
    vrs.User_Name0 AS [User Name],
    vrs.Ad_site_name0 AS [AD Site Name],
    lac.DisplayName AS [Application Name],
    CollectionName,
    IIF(
        vAppDeploymentResultsPerClient.EnforcementState = 1001, 'Installation Success',
        IIF(
            vAppDeploymentResultsPerClient.EnforcementState >= 1000 AND vAppDeploymentResultsPerClient.EnforcementState < 2000 AND vAppDeploymentResultsPerClient.EnforcementState <> 1001, 'Installation Success',
            IIF(
                vAppDeploymentResultsPerClient.EnforcementState >= 2000 AND vAppDeploymentResultsPerClient.EnforcementState < 3000, 'In Progress',
                IIF(
                    vAppDeploymentResultsPerClient.EnforcementState >= 3000 AND vAppDeploymentResultsPerClient.EnforcementState < 4000, 'Requirements Not Met',
                    IIF(
                        vAppDeploymentResultsPerClient.EnforcementState >= 4000 AND vAppDeploymentResultsPerClient.EnforcementState < 5000, 'Unknown',
                        IIF(
                            vAppDeploymentResultsPerClient.EnforcementState >= 5000 AND vAppDeploymentResultsPerClient.EnforcementState < 6000, 'Error',
                            'Unknown'
                        )
                    )
                )
            )
        )
    ) AS [Status],
    LastEnforcementMessageTime AS [LastEnfMessageTime],
    LastComplianceMessageTime AS [LastComMessageTime]
FROM dbo.v_R_System AS vrs
LEFT JOIN (dbo.vAppDeploymentResultsPerClient
    LEFT JOIN v_CIAssignment ON dbo.vAppDeploymentResultsPerClient.AssignmentID = v_CIAssignment.AssignmentID)
    ON vrs.ResourceID = dbo.vAppDeploymentResultsPerClient.ResourceID
LEFT JOIN dbo.fn_ListApplicationCIs(1033) lac ON lac.CI_ID = dbo.vAppDeploymentResultsPerClient.CI_ID
LEFT JOIN dbo.v_GS_WORKSTATION_STATUS AS vgws ON vgws.ResourceID = vrs.ResourceID
LEFT JOIN v_FullCollectionMembership coll ON coll.ResourceID = vrs.ResourceID
LEFT JOIN dbo.v_GS_OPERATING_SYSTEM AS vgos ON vgos.ResourceID = vrs.ResourceID
LEFT JOIN v_CICurrentComplianceStatus ci2 ON ci2.CI_ID = vAppDeploymentResultsPerClient.CI_ID AND ci2.ResourceID = vrs.ResourceID
WHERE
    vAppDeploymentResultsPerClient.AssignmentID IN ('ID') AND
    vrs.Name0 IN ('User Name') AND
    CollectionName = 'Collection'
```


🔧 Query Breakdown

  • v_R_System (vrs): Core system view providing details like computer name, user name, and AD site.
  • vAppDeploymentResultsPerClient: Contains application deployment status per client.
  • fn_ListApplicationCIs(1033): Retrieves application names based on configuration item (CI) IDs.
  • v_GS_OPERATING_SYSTEM (vgos): Provides OS information of the client.
  • v_CIAssignment: Stores deployment assignment details.
  • v_CICurrentComplianceStatus: Shows compliance status for the CI.
  • v_FullCollectionMembership: Maps devices to their collections.

📊 Deployment Status Mapping

| Enforcement State Range | Status Description |
| --- | --- |
| = 1001 | Installation Success |
| 1000–1999 (≠1001) | Installation Success |
| 2000–2999 | In Progress |
| 3000–3999 | Requirements Not Met |
| 4000–4999 | Unknown |
| 5000–5999 | Error |
| Other | Unknown |


🎯 Use Case Scenario

This query is useful when you want to:

  • Audit application deployment success/failure
  • Troubleshoot issues in a specific device or collection
  • Generate deployment compliance reports
  • Identify pending or in-progress installations

Simply replace the following placeholders in the WHERE clause:

  • 'ID' → the AssignmentID of the application deployment you want to report on
  • 'User Name' → the device name(s) to include (this filter is on vrs.Name0, the computer name)
  • 'Collection' → the target SCCM collection name
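For the compliance-report use case, the added query below (not from the original post) rolls the same view up to one row per deployment and status bucket instead of one row per device, keeping the post's EnforcementState ranges in a single CASE expression. The @AssignmentID value is a constructed placeholder; replace it with your deployment's AssignmentID. The AssignmentName and CollectionName labels are taken from v_CIAssignment, which the post already joins.

```sql
-- Added example, not the original post's query: roll up vAppDeploymentResultsPerClient
-- into per-deployment counts using the same EnforcementState buckets as the post.
-- @AssignmentID is a constructed placeholder; use the real AssignmentID of your deployment
-- (for example from v_CIAssignment).
DECLARE @AssignmentID INT = 16777300;   -- placeholder value, not a real ID

WITH Bucketed AS (
    SELECT
        r.AssignmentID,
        r.ResourceID,
        r.EnforcementState,
        -- CASE is evaluated top to bottom, so the exact 1001 test stays ahead of the
        -- 1000-1999 range test, mirroring the nested IIF and the mapping table above.
        CASE
            WHEN r.EnforcementState = 1001                THEN 'Installation Success'
            WHEN r.EnforcementState BETWEEN 1000 AND 1999 THEN 'Installation Success'
            WHEN r.EnforcementState BETWEEN 2000 AND 2999 THEN 'In Progress'
            WHEN r.EnforcementState BETWEEN 3000 AND 3999 THEN 'Requirements Not Met'
            WHEN r.EnforcementState BETWEEN 4000 AND 4999 THEN 'Unknown'
            WHEN r.EnforcementState BETWEEN 5000 AND 5999 THEN 'Error'
            ELSE 'Unknown'
        END AS [Status]
    FROM dbo.vAppDeploymentResultsPerClient AS r
    WHERE r.AssignmentID = @AssignmentID
)
SELECT
    ca.AssignmentName,
    ca.CollectionName,
    b.[Status],
    COUNT(DISTINCT b.ResourceID) AS Devices,
    -- Share of all devices that have reported a result for this deployment
    CAST(100.0 * COUNT(DISTINCT b.ResourceID)
         / SUM(COUNT(DISTINCT b.ResourceID)) OVER () AS DECIMAL(5, 1)) AS PercentOfReported,
    MIN(b.EnforcementState) AS LowestState,   -- raw state range behind each bucket,
    MAX(b.EnforcementState) AS HighestState   -- useful when drilling into the Error rows
FROM Bucketed AS b
INNER JOIN v_CIAssignment AS ca ON ca.AssignmentID = b.AssignmentID
GROUP BY ca.AssignmentName, ca.CollectionName, b.[Status]
ORDER BY Devices DESC;
```

Devices that have not yet reported any result are not in vAppDeploymentResultsPerClient, so the percentages are relative to reporting devices, not to the full collection; compare the Devices total with the collection's member count to see how many clients are still silent.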

📝 Final Notes

  • Ensure that you run this query in the SCCM database context (typically CM_<SiteCode>).
  • Add additional filters or joins (like deployment types or deadlines) based on your reporting needs.
  • You can export this data to Power BI or Excel for further visualization.

Tuesday, 1 July 2025

SQL Script to List SCCM Applications Details



📘 Overview

In SCCM (Microsoft Endpoint Configuration Manager), gaining a clear view of your applications, their deployment types, source content, and install/uninstall behaviors is critical for maintaining a healthy environment. Whether you are auditing your environment, troubleshooting deployment issues, or preparing for a migration, having a detailed application inventory is a must.

In this blog post, we’ll walk through a powerful SQL query that pulls application metadata, deployment information, content size, install/uninstall commands, and more — directly from your SCCM database.


🔍 What This Query Does

This SQL query retrieves:

  • Application name and description
  • Deployment type details
  • Source path and size
  • Status (Active/Retired)
  • Install and uninstall command lines
  • Detection method
  • Admin comments and metadata

All tied together using SCCM’s AppModel and CI relationships.


📋 The SQL Query

```sql
DECLARE @LocaleID INT = (SELECT LocaleID FROM vSMSData);

WITH XMLNAMESPACES (DEFAULT 'http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest')
SELECT
    app.DisplayName AS ApplicationName,
    pkg.PackageID,
    CASE
        WHEN dtt.IsExpired = 1 THEN 'Retired'
        ELSE 'Active'
    END AS [Application Status],
    cp.SourceSize AS [Source Size in KB],
    app.Description,
    ad.AdminComments,
    Dtt.DisplayName AS [DeploymentTypeName],
    Dtt.Technology,
    dt.CI_ID,
    dt.SDMPackageDigest.value('(/AppMgmtDigest/DeploymentType/Title)[1]', 'nvarchar(max)') AS [DeploymentTypeName],
    ab.NumberOfDeploymentTypes AS [No of Deployments],
    dt.SDMPackageDigest.value('(/AppMgmtDigest/DeploymentType/Installer/Contents/Content/Location)[1]', 'nvarchar(max)') AS [SourcePath],
    dt.SDMPackageDigest.value('(/AppMgmtDigest/DeploymentType/Installer/InstallAction/Args/Arg)[1]', 'nvarchar(max)') AS [InstallCommandLine],
    dt.SDMPackageDigest.value('(/AppMgmtDigest/DeploymentType/Installer/UninstallAction/Args/Arg)[1]', 'nvarchar(max)') AS [UninstallCommandLine],
    dt.SDMPackageDigest.value('(/AppMgmtDigest/DeploymentType/DetectionMethod/Setting)[1]', 'nvarchar(max)') AS DetectionSetting
FROM v_ConfigurationItems dt
INNER JOIN vSMS_CIRelation rel ON dt.CI_ID = rel.ToCIID
INNER JOIN fn_ListLatestApplicationCIs_List(@LocaleID) app ON app.CI_ID = rel.FromCIID
INNER JOIN v_Package p ON p.SecurityKey = app.ModelName
INNER JOIN vSMS_ContentPackage cp ON cp.PkgID = p.PackageID
-- Use the site locale read above for every localized function, not a hard-coded 1033
INNER JOIN dbo.Fn_Listdeploymenttypecis(@LocaleID) AS Dtt ON Dtt.AppModelName = app.ModelName
INNER JOIN fn_ListLatestApplicationCIs(@LocaleID) AS ab ON ab.ModelName = app.ModelName
INNER JOIN v_Package pkg ON pkg.SecurityKey = ab.ModelName
INNER JOIN v_Applications ad ON ad.ModelID = app.ModelID
WHERE dt.CIType_ID = 21 -- Deployment Type
  AND dt.IsLatest = 1;  -- Latest version only
```
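The query above reads each Arg by position (`[1]`), which returns whichever argument the digest happens to list first. The added example below (not the post's query) reads the values by name from the same SDMPackageDigest XML, adds the installer's execution context (System or User, which is what you want when auditing what runs with elevated rights), and uses nodes() so that a deployment type with several content entries yields one row per content location. The Arg/@Name values (InstallCommandLine, UninstallCommandLine, ExecutionContext) and the Installer/@Technology attribute are assumed from a typical AppMgmtDigest; confirm them against a digest from your own site before relying on the output.

```sql
-- Added example, not the original post's query: read deployment-type settings from the
-- SDMPackageDigest XML by name instead of by position.
-- The Arg/@Name values and Installer/@Technology used here are assumptions taken from a
-- typical AppMgmtDigest; verify with:
--   SELECT SDMPackageDigest FROM v_ConfigurationItems WHERE CI_ID = <a DT CI_ID>;
DECLARE @LocaleID INT = (SELECT LocaleID FROM vSMSData);

WITH XMLNAMESPACES (DEFAULT 'http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest')
SELECT
    app.DisplayName AS ApplicationName,
    dt.CI_ID AS DeploymentTypeCI_ID,
    dtx.x.value('(Title)[1]', 'nvarchar(max)') AS DeploymentTypeName,
    dtx.x.value('(Installer/@Technology)[1]', 'nvarchar(64)') AS Technology,
    -- Named lookups: position [1] returns whichever Arg the digest lists first
    dtx.x.value('(Installer/InstallAction/Args/Arg[@Name="InstallCommandLine"])[1]', 'nvarchar(max)') AS InstallCommandLine,
    dtx.x.value('(Installer/UninstallAction/Args/Arg[@Name="UninstallCommandLine"])[1]', 'nvarchar(max)') AS UninstallCommandLine,
    -- System or User: the security context the installer runs in
    dtx.x.value('(Installer/InstallAction/Args/Arg[@Name="ExecutionContext"])[1]', 'nvarchar(32)') AS InstallContext,
    -- One row per Content element, so multi-content deployment types are not truncated to [1]
    c.x.value('(Location)[1]', 'nvarchar(max)') AS ContentLocation
FROM v_ConfigurationItems AS dt
INNER JOIN vSMS_CIRelation AS rel ON rel.ToCIID = dt.CI_ID
INNER JOIN fn_ListLatestApplicationCIs_List(@LocaleID) AS app ON app.CI_ID = rel.FromCIID
-- Shred the digest: one row per DeploymentType element, then one per Content under it
CROSS APPLY dt.SDMPackageDigest.nodes('/AppMgmtDigest/DeploymentType') AS dtx(x)
OUTER APPLY dtx.x.nodes('Installer/Contents/Content') AS c(x)
WHERE dt.CIType_ID = 21   -- Deployment Type
  AND dt.IsLatest = 1     -- Latest version only
ORDER BY app.DisplayName, DeploymentTypeName;
```

OUTER APPLY rather than CROSS APPLY on the content nodes keeps deployment types that have no content (for example a script-only detection with no source files) in the result with a NULL ContentLocation, so the inventory stays complete.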

 

